AdguardTeam / AdguardBrowserExtension

AdGuard browser extension
https://adguard.com/
GNU General Public License v3.0

Does AdGuard prevent misuse of font files? #2763

Open the-moog opened 6 months ago

the-moog commented 6 months ago

Issue Details

I am sure this is a well known practice and I am just behind the times, but I think I caught a way Amazon are bypassing cookie and do-not-track type rules using font files.

I have the AG browser extension installed but I think it missed this ruse, is that correct? What does AdGuard do (configured out of the box) to prevent the following...

I sometimes get a Firefox hang with a LOT of GPU and GPU memory usage (3GB+ for a single tab). Indeed, that is why I run AdGuard, as this is always related to Google ads. I've caught ads from various sources (I am assuming some sort of syndication), usually obfuscated in some way, though sometimes blatantly using rather obvious JScript function names exposing their purpose, like CreateThread(_mineCoinWorker) or _AItrain(data) etc. So I know people (or maybe even orgs; Google et al... hm?..) are creating fake ads that nobody reads in order to get access to free GPU hours x 100's of millions of instances. Originally to mine, but now to train (or mine) data. btw Why didn't BOINC think of this, we'd have ET's phone number by now and be able to watch ETTV.

Daft thoughts aside, this one was different... I noticed the hang and I did the usual search round the debugger to find how they'd got around AdGuard. I was expecting to find an ad or something on some page (sometimes even a hidden field) on one open tab with the usual _mine_stuff() call, but nope. Nothing. Just a thread that was waiting for an event (a mutex release) that will never happen... Meanwhile swallowing memory at about 0.3MB/s.

I could not work out why the same tab kept on hanging up the entire machine. Every time I clicked on the link for a certain item from a certain seller. Even did it after restarting FF and doing reload session. Then I realised. While watching the pages load in the integrated debugger I could see the tab stopping while loading one of several .woff files.

A WOFF font file called something like (and I wish I knew how to capture this) amazonWSCloudfrontHelvetica_ce07ba5.....65e300..05bad85.woff (anyway, a very, very long name, mostly in hex) that clearly was a font file but a very odd and abused one. I tried opening said file and that crashed the font viewer. So, not a font then. So I am assuming it's not a real font at all. It is just loading a file. And there were a lot of files with similar names in the cache (hmm... Helvetica seems a popular font, why so many though?). Five attached to that hung tab alone.

To the reason it was hanging? Is this caused by AG? Get on with it...

In another browser window (not the same FF instance) I had Googled for items similar to those I was looking for to see if I could get it at a more reasonable price (an aluminium can chipper/shredder), and Google results had that same font file open, and another tab on that browser window had also hung. I guess the other window was also hung at the same piece of code from Amazon, both waiting on each other for something that won't happen as another tab (no idea what was on it) had crashed. In any case they were both waiting for each other (or something else). All this was very repeatable.

I killed the tab with the GPU session behind the mutual lock and cleared the browser cache, deleting these 'fonts' in the process, then it was fine.

So, my concern is what does this mean? Is this something AdGuard should worry about?

Are Google or Amazon exchanging information in real time between two different browser instances on the same machine using a woff font file as a combined transport and fingerprint or cookie? Is this a way to bypass cookie legislation? In this case I am fairly sure it was to ensure I was directed towards the same item from the same vendor (or other similar ones also from Amazon or eBay from said vendor). I am guessing that's all the same drop-shipper with multiple shopfronts and prices. I know the item is also available as a branded thing at a vastly greater price, and found it odd that Google struggled to find anything like it elsewhere even omitting AliExpress. Could that be restrictive market practices to add to the list as well, then..? A marketing Sandbox as a Service.....(oh SASS, that name is taken - so probably no...)

What I am sure of: Nobody needs dozens of 'helvetica' fonts, especially on one page. The code I looked at was buried in Mozilla threads, some partly running on the GPU from a tab; no idea what they were doing or how to capture that again. Is that normal? Amazon pages are not that 3D.

After all, fonts are just glyphs and lookup tables. Hmm. Thought, though. They can be Adobe PostScript. PS is a fully Turing complete language; I wonder how easy it is to write a PostScript interpreter VM in JS and what you could either hide or get away with once you had one. My book on the PS language is very thin indeed, by far my thinnest tech book; PS is not a complex language!! Could this be a low footprint way to escape the browser sandbox to, e.g., unpack an exe or other data. I wish I had the time to find out....

So takeaways: IMO, like any relied-upon data, official font files should be signed to prevent abuse. Are they? Is that even a thing? I can't imagine Amazon have a mouse infestation, chewing at the wires in their datacentre, causing filename corruption. Do browsers force use of the font metadata to prevent this and prefer 'official' fonts, or can that be subdued? Am I paranoid? ... I mean, does AdGuard already handle this? Is the risk of replacing suspicious fonts with the real thing (or a typographic equivalent) too tricky without breaking sites randomly?

I just read that Google invented the WOFF2 font standard and supply the reference implementation. - lol.

Proposed solution

No response

Alternative solution

No response
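One way to do the check the reporter did by hand (opening a cached .woff in a font viewer and seeing it crash) without handing the file to a font renderer at all, as an added example that is not part of this issue, of AdGuard, or of any browser: it parses only the fixed-size WOFF 1.0 and WOFF2 headers defined in the W3C specs (and the fixed-size table directory of WOFF 1.0) and reports structural inconsistencies such as a wrong signature, a declared length that does not match the file, or table data and metadata blocks that point outside the file. The function names, the `KNOWN_FLAVORS` set and the sample byte strings are my own constructions, not anything from the page.

```python
"""
Sanity-check a cached .woff/.woff2 file: does its header describe a plausible
font container, or is the extension just a label on an arbitrary blob?
Added example (not part of the issue or of AdGuard). Only the fixed-size
headers from the W3C WOFF 1.0 / WOFF2 specs are parsed; glyph data and
compressed table contents are never interpreted, so nothing here can be
crashed by a malformed font the way a font viewer can.
"""
import struct
import sys

WOFF_HEADER = struct.Struct(">4sIIHHIHHIIIII")    # 44 bytes, WOFF 1.0 header
WOFF2_HEADER = struct.Struct(">4sIIHHIIHHIIIII")  # 48 bytes, WOFF2 header
WOFF_DIR_ENTRY = struct.Struct(">4sIIII")         # tag, offset, compLength, origLength, origChecksum
# sfnt "flavor" values a browser normally accepts: TrueType 0x00010000, CFF 'OTTO',
# collection 'ttcf', Apple 'true'. Anything else is worth a second look (assumption: this list is mine).
KNOWN_FLAVORS = {0x00010000, 0x4F54544F, 0x74746366, 0x74727565}


def check_woff(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the container is structurally sane."""
    findings = []
    if len(data) < 4:
        return ["too short to carry a WOFF signature"]
    magic = data[:4]
    if magic == b"wOFF":
        hdr = WOFF_HEADER
        fields = ("sig", "flavor", "length", "numTables", "reserved", "totalSfntSize",
                  "major", "minor", "metaOffset", "metaLength", "metaOrigLength",
                  "privOffset", "privLength")
    elif magic == b"wOF2":
        hdr = WOFF2_HEADER
        fields = ("sig", "flavor", "length", "numTables", "reserved", "totalSfntSize",
                  "totalCompressedSize", "major", "minor", "metaOffset", "metaLength",
                  "metaOrigLength", "privOffset", "privLength")
    else:
        return [f"signature {magic!r} is neither wOFF nor wOF2: not a WOFF container"]
    if len(data) < hdr.size:
        return [f"{magic.decode()} header truncated ({len(data)} < {hdr.size} bytes)"]
    h = dict(zip(fields, hdr.unpack_from(data)))

    if h["reserved"] != 0:
        findings.append("reserved header field is non-zero")
    if h["length"] != len(data):
        findings.append(f"header length {h['length']} != actual size {len(data)}")
    if h["numTables"] == 0:
        findings.append("numTables is 0: a font must carry at least one table")
    if h["flavor"] not in KNOWN_FLAVORS:
        findings.append(f"unknown sfnt flavor 0x{h['flavor']:08X}")
    # Optional metadata and private blocks must lie inside the file.
    for name in ("meta", "priv"):
        off, ln = h[name + "Offset"], h[name + "Length"]
        if (off or ln) and off + ln > len(data):
            findings.append(f"{name} block [{off}, {off + ln}) extends past end of file")

    # WOFF 1.0 has a fixed 20-byte table directory entry; WOFF2's directory is
    # variable-length (255UInt16 encoding), so it is deliberately not parsed here.
    if magic == b"wOFF":
        pos = hdr.size
        for i in range(h["numTables"]):
            if pos + WOFF_DIR_ENTRY.size > len(data):
                findings.append(f"table directory truncated at entry {i}")
                break
            tag, off, comp, orig, _ = WOFF_DIR_ENTRY.unpack_from(data, pos)
            pos += WOFF_DIR_ENTRY.size
            if off + comp > len(data):
                findings.append(f"table {tag!r} data [{off}, {off + comp}) extends past end of file")
            if comp > orig:
                findings.append(f"table {tag!r} compressed size {comp} exceeds original {orig}")
    return findings


def check_file(path: str) -> list[str]:
    """Convenience wrapper: run check_woff over a file on disk (e.g. a browser cache entry)."""
    with open(path, "rb") as fh:
        return check_woff(fh.read())


def _build_minimal_woff() -> bytes:
    """Constructed sample: a structurally valid WOFF 1.0 container holding one 8-byte table."""
    table_data = b"\x00" * 8
    dir_entry = WOFF_DIR_ENTRY.pack(b"head", 64, len(table_data), len(table_data), 0)
    total = WOFF_HEADER.size + WOFF_DIR_ENTRY.size + len(table_data)   # 72 bytes
    header = WOFF_HEADER.pack(b"wOFF", 0x00010000, total, 1, 0, 12 + 16 + 8, 1, 0, 0, 0, 0, 0, 0)
    return header + dir_entry + table_data


SAMPLE_GOOD = _build_minimal_woff()
# Constructed sample: right signature, but the declared length and the table offset point outside the file.
SAMPLE_BAD = (WOFF_HEADER.pack(b"wOFF", 0x00010000, 50000, 1, 0, 36, 1, 0, 0, 0, 0, 0, 0)
              + WOFF_DIR_ENTRY.pack(b"head", 40000, 8, 8, 0))
# Constructed sample: a blob that merely wears the .woff extension (here an MZ-style header).
SAMPLE_NOT_FONT = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for p in sys.argv[1:]:
        problems = check_file(p)
        print(p, "OK" if not problems else "; ".join(problems))
```

Run it over the files in a browser cache directory; a non-empty result means the file is not the WOFF container the specification describes, which is the cheap first cut before anyone opens it in a renderer. An empty result only says the container is well-formed, not that its glyph or table contents are harmless.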

the-moog commented 6 months ago

Additional ref: WOFF2 spec section C3. https://www.w3.org/TR/WOFF2/ Clearly not true.

alexx7311 commented 6 months ago

@the-moog Hello! Please describe the process step by step on how to check for these font files.

alexx7311 commented 5 months ago

@the-moog any updates?

alexx7311 commented 5 months ago

@the-moog We'll close the issue for now, but you can always leave a comment and we'll continue to look into the problem.